Mercurial > p > roundup > code


  
3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     1 #


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     2 # Copyright (C) 2007 Stefan Seefeld


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     3 # All rights reserved.


3839


cf6c45201980
Varia

Stefan Seefeld <stefan@seefeld.name>
parents: 
3829
diff
changeset


     4 # For license terms see the file COPYING.txt.


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     5 #


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     6 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     7 import unittest, os, shutil, errno, sys, difflib, cgi, re


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     8 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


     9 from roundup.cgi.exceptions import *


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    10 from roundup import init, instance, password, hyperdb, date


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    11 from roundup.xmlrpc import RoundupInstance


3973


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    12 from roundup.backends import list_backends


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    13 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    14 import db_test_base


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    15 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    16 NEEDS_INSTANCE = 1


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    17 


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    18 class TestCase(unittest.TestCase):


3973


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    19 


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    20     backend = None


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    21 


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    22     def setUp(self):


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    23         self.dirname = '_test_xmlrpc'


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    24         # set up and open a tracker


3973


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    25         self.instance = db_test_base.setupTracker(self.dirname, self.backend)


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    26 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    27         # open the database


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    28         self.db = self.instance.open('admin')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    29         self.joeid = 'user' + self.db.user.create(username='joe',


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    30             password=password.Password('random'), address='random@home.org',


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    31             realname='Joe Random', roles='User')


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    32 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    33         self.db.commit()


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    34         self.db.close()


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    35         self.db = self.instance.open('joe')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    36         self.server = RoundupInstance(self.db, self.instance.actions, None)


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    37 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    38     def tearDown(self):


4104


d8c2d214d688
do all the pre-release stuff...

Richard Jones <richard@users.sourceforge.net>
parents: 
4083
diff
changeset


    39         self.db.close()


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    40         try:


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    41             shutil.rmtree(self.dirname)


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    42         except OSError, error:


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    43             if error.errno not in (errno.ENOENT, errno.ESRCH): raise


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    44 


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    45     def testAccess(self):


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    46         # Retrieve all three users.


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    47         results = self.server.list('user', 'id')


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    48         self.assertEqual(len(results), 3)


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    49 


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    50         # Obtain data for 'joe'.


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    51         results = self.server.display(self.joeid)


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    52         self.assertEqual(results['username'], 'joe')


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    53         self.assertEqual(results['realname'], 'Joe Random')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    54 


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    55     def testChange(self):


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    56         # Reset joe's 'realname'.


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    57         results = self.server.set(self.joeid, 'realname=Joe Doe')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    58         results = self.server.display(self.joeid, 'realname')


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    59         self.assertEqual(results['realname'], 'Joe Doe')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    60 


3973


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    61         # check we can't change admin's details


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    62         self.assertRaises(Unauthorised, self.server.set, 'user1', 'realname=Joe Doe')


3973


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


    63 


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    64     def testCreate(self):


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    65         results = self.server.create('issue', 'title=foo')


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    66         issueid = 'issue' + results


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    67         results = self.server.display(issueid, 'title')


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    68         self.assertEqual(results['title'], 'foo')


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    69 


3992


fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb

Richard Jones <richard@users.sourceforge.net>
parents: 
3973
diff
changeset


    70     def testFileCreate(self):


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    71         results = self.server.create('file', 'content=hello\r\nthere')


3992


fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb

Richard Jones <richard@users.sourceforge.net>
parents: 
3973
diff
changeset


    72         fileid = 'file' + results


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    73         results = self.server.display(fileid, 'content')


3992


fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb

Richard Jones <richard@users.sourceforge.net>
parents: 
3973
diff
changeset


    74         self.assertEqual(results['content'], 'hello\r\nthere')


fe2af84a5ca5
allow binary data for "content" props through rawToHyperdb

Richard Jones <richard@users.sourceforge.net>
parents: 
3973
diff
changeset


    75 


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    76     def testAction(self):


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    77         # As this action requires special previledges, we temporarily switch


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    78         # to 'admin'


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    79         self.db.setCurrentUser('admin')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    80         users_before = self.server.list('user')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    81         try:


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    82             tmp = 'user' + self.db.user.create(username='tmp')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    83             self.server.action('retire', tmp)


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    84         finally:


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    85             self.db.setCurrentUser('joe')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    86         users_after = self.server.list('user')


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    87         self.assertEqual(users_before, users_after)


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    88 


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    89     def testAuthDeniedEdit(self):


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    90         # Wrong permissions (caught by roundup security module).


3829


d0ac8188d274
Re-add failing test to make sure permissions are respected.

Stefan Seefeld <stefan@seefeld.name>
parents: 
3828
diff
changeset


    91         self.assertRaises(Unauthorised, self.server.set,


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    92                           'user1', 'realname=someone')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    93 


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    94     def testAuthDeniedCreate(self):


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    95         self.assertRaises(Unauthorised, self.server.create,


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    96                           'user', {'username': 'blah'})


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


    97 


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


    98     def testAuthAllowedEdit(self):


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


    99         self.db.setCurrentUser('admin')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


   100         try:


4241


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   101             try:


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   102                 self.server.set('user2', 'realname=someone')


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   103             except Unauthorised, err:


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   104                 self.fail('raised %s'%err)


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


   105         finally:


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


   106             self.db.setCurrentUser('joe')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


   107 


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


   108     def testAuthAllowedCreate(self):


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


   109         self.db.setCurrentUser('admin')


3937


3c3077582c16
Add security checks and tests for xmlrpc interface.

Richard Jones <richard@users.sourceforge.net>
parents: 
3839
diff
changeset


   110         try:


4241


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   111             try:


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   112                 self.server.create('user', 'username=blah')


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   113             except Unauthorised, err:


1555a73f6451
py2.4 compat

Richard Jones <richard@users.sourceforge.net>
parents: 
4104
diff
changeset


   114                 self.fail('raised %s'%err)


4083


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


   115         finally:


bbab97f8ffb2
XMLRPC improvements:

Stefan Seefeld <stefan@seefeld.name>
parents: 
3992
diff
changeset


   116             self.db.setCurrentUser('joe')


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   117 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   118 def test_suite():


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   119     suite = unittest.TestSuite()


3973


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


   120     for l in list_backends():


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


   121         dct = dict(backend = l)


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


   122         subcls = type(TestCase)('TestCase_%s'%l, (TestCase,), dct)


85cbaa50eba1
xml-rpc security checks and tests across all backends [SF#1907211]

Richard Jones <richard@users.sourceforge.net>
parents: 
3937
diff
changeset


   123         suite.addTest(unittest.makeSuite(subcls))


3828


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   124     return suite


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   125 


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   126 if __name__ == '__main__':


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   127     runner = unittest.TextTestRunner()


ba6ba8d6bcc1
Initial checkin for new xmlrpc frontend.

Stefan Seefeld <stefan@seefeld.name>
parents: 
diff
changeset


   128     unittest.main(testRunner=runner)
author	Richard Jones <richard@users.sourceforge.net>
date	Fri, 08 Oct 2010 03:35:51 +0000
parents	1555a73f6451
children	261c9f913ff7
rev	line source
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	1 #
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	2 # Copyright (C) 2007 Stefan Seefeld
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	3 # All rights reserved.
3839 cf6c45201980 Varia Stefan Seefeld <stefan@seefeld.name> parents: 3829 diff changeset	4 # For license terms see the file COPYING.txt.
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	5 #
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	6
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	7 import unittest, os, shutil, errno, sys, difflib, cgi, re
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	8
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	9 from roundup.cgi.exceptions import *
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	10 from roundup import init, instance, password, hyperdb, date
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	11 from roundup.xmlrpc import RoundupInstance
3973 85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	12 from roundup.backends import list_backends
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	13
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	14 import db_test_base
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	15
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	16 NEEDS_INSTANCE = 1
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	17
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	18 class TestCase(unittest.TestCase):
3973 85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	19
85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	20 backend = None
85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	21
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	22 def setUp(self):
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	23 self.dirname = '_test_xmlrpc'
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	24 # set up and open a tracker
3973 85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	25 self.instance = db_test_base.setupTracker(self.dirname, self.backend)
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	26
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	27 # open the database
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	28 self.db = self.instance.open('admin')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	29 self.joeid = 'user' + self.db.user.create(username='joe',
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	30 password=password.Password('random'), address='random@home.org',
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	31 realname='Joe Random', roles='User')
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	32
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	33 self.db.commit()
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	34 self.db.close()
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	35 self.db = self.instance.open('joe')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	36 self.server = RoundupInstance(self.db, self.instance.actions, None)
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	37
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	38 def tearDown(self):
4104 d8c2d214d688 do all the pre-release stuff... Richard Jones <richard@users.sourceforge.net> parents: 4083 diff changeset	39 self.db.close()
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	40 try:
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	41 shutil.rmtree(self.dirname)
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	42 except OSError, error:
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	43 if error.errno not in (errno.ENOENT, errno.ESRCH): raise
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	44
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	45 def testAccess(self):
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	46 # Retrieve all three users.
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	47 results = self.server.list('user', 'id')
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	48 self.assertEqual(len(results), 3)
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	49
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	50 # Obtain data for 'joe'.
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	51 results = self.server.display(self.joeid)
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	52 self.assertEqual(results['username'], 'joe')
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	53 self.assertEqual(results['realname'], 'Joe Random')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	54
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	55 def testChange(self):
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	56 # Reset joe's 'realname'.
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	57 results = self.server.set(self.joeid, 'realname=Joe Doe')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	58 results = self.server.display(self.joeid, 'realname')
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	59 self.assertEqual(results['realname'], 'Joe Doe')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	60
3973 85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	61 # check we can't change admin's details
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	62 self.assertRaises(Unauthorised, self.server.set, 'user1', 'realname=Joe Doe')
3973 85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	63
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	64 def testCreate(self):
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	65 results = self.server.create('issue', 'title=foo')
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	66 issueid = 'issue' + results
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	67 results = self.server.display(issueid, 'title')
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	68 self.assertEqual(results['title'], 'foo')
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	69
3992 fe2af84a5ca5 allow binary data for "content" props through rawToHyperdb Richard Jones <richard@users.sourceforge.net> parents: 3973 diff changeset	70 def testFileCreate(self):
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	71 results = self.server.create('file', 'content=hello\r\nthere')
3992 fe2af84a5ca5 allow binary data for "content" props through rawToHyperdb Richard Jones <richard@users.sourceforge.net> parents: 3973 diff changeset	72 fileid = 'file' + results
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	73 results = self.server.display(fileid, 'content')
3992 fe2af84a5ca5 allow binary data for "content" props through rawToHyperdb Richard Jones <richard@users.sourceforge.net> parents: 3973 diff changeset	74 self.assertEqual(results['content'], 'hello\r\nthere')
fe2af84a5ca5 allow binary data for "content" props through rawToHyperdb Richard Jones <richard@users.sourceforge.net> parents: 3973 diff changeset	75
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	76 def testAction(self):
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	77 # As this action requires special previledges, we temporarily switch
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	78 # to 'admin'
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	79 self.db.setCurrentUser('admin')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	80 users_before = self.server.list('user')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	81 try:
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	82 tmp = 'user' + self.db.user.create(username='tmp')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	83 self.server.action('retire', tmp)
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	84 finally:
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	85 self.db.setCurrentUser('joe')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	86 users_after = self.server.list('user')
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	87 self.assertEqual(users_before, users_after)
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	88
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	89 def testAuthDeniedEdit(self):
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	90 # Wrong permissions (caught by roundup security module).
3829 d0ac8188d274 Re-add failing test to make sure permissions are respected. Stefan Seefeld <stefan@seefeld.name> parents: 3828 diff changeset	91 self.assertRaises(Unauthorised, self.server.set,
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	92 'user1', 'realname=someone')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	93
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	94 def testAuthDeniedCreate(self):
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	95 self.assertRaises(Unauthorised, self.server.create,
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	96 'user', {'username': 'blah'})
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	97
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	98 def testAuthAllowedEdit(self):
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	99 self.db.setCurrentUser('admin')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	100 try:
4241 1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	101 try:
1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	102 self.server.set('user2', 'realname=someone')
1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	103 except Unauthorised, err:
1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	104 self.fail('raised %s'%err)
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	105 finally:
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	106 self.db.setCurrentUser('joe')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	107
3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	108 def testAuthAllowedCreate(self):
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	109 self.db.setCurrentUser('admin')
3937 3c3077582c16 Add security checks and tests for xmlrpc interface. Richard Jones <richard@users.sourceforge.net> parents: 3839 diff changeset	110 try:
4241 1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	111 try:
1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	112 self.server.create('user', 'username=blah')
1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	113 except Unauthorised, err:
1555a73f6451 py2.4 compat Richard Jones <richard@users.sourceforge.net> parents: 4104 diff changeset	114 self.fail('raised %s'%err)
4083 bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	115 finally:
bbab97f8ffb2 XMLRPC improvements: Stefan Seefeld <stefan@seefeld.name> parents: 3992 diff changeset	116 self.db.setCurrentUser('joe')
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	117
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	118 def test_suite():
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	119 suite = unittest.TestSuite()
3973 85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	120 for l in list_backends():
85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	121 dct = dict(backend = l)
85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	122 subcls = type(TestCase)('TestCase_%s'%l, (TestCase,), dct)
85cbaa50eba1 xml-rpc security checks and tests across all backends [SF#1907211] Richard Jones <richard@users.sourceforge.net> parents: 3937 diff changeset	123 suite.addTest(unittest.makeSuite(subcls))
3828 ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	124 return suite
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	125
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	126 if __name__ == '__main__':
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	127 runner = unittest.TextTestRunner()
ba6ba8d6bcc1 Initial checkin for new xmlrpc frontend. Stefan Seefeld <stefan@seefeld.name> parents: diff changeset	128 unittest.main(testRunner=runner)